ISO 22301
Knowledge Hub

ISO 22301:2019 — formally “Security and resilience — Business continuity management systems — Requirements” — is the international, certifiable standard for business continuity. It specifies requirements across Clauses 4–10 for a management system that keeps prioritised products and services running through disruption. Its operational core is a business impact analysis with RTO/RPO/MTPD targets, a disruption risk assessment, documented continuity strategies and plans, and a tested exercise programme.

Seven guides cover the full journey. If you are new to the standard, start with the ISO 22301 overview, then read the requirements guide for the clause-by-clause detail. When a bank or regulator has set a deadline, the certification guide explains the audit path, and the implementation roadmap sequences the build. The BIA guide goes deep on the analysis everything else depends on, the ISO 27001 comparison shows what is reusable from an existing ISMS, and the regulator mapping connects the standard to CBUAE, SAMA, and APRA CPS 230 expectations.

Three regulators dominate current demand. CBUAE business-continuity and outsourcing rules pushed UAE banks to require ISO 22301-aligned — and increasingly certified — BCMS from critical vendors, with the first contract-deadline wave landing in December 2025. Saudi Arabia’s SAMA Business Continuity Management Framework is mandatory for member organisations and is built directly on ISO 22301, with obligations flowing down to suppliers. And in Australia, APRA CPS 230 (in force since 1 July 2025) makes regulated entities responsible for the continuity of their material service providers. Enterprise procurement teams worldwide add a fourth driver: continuity clauses in contracts.

Plan on 8–14 weeks of preparation for a single-scope organisation — gap assessment, BIA and risk assessment, strategies and plans, exercises, internal audit, and management review — followed by the certification body’s Stage 1 and Stage 2 audits. Multi-site groups run longer; an existing ISO 27001 ISMS shortens the path because the Annex SL governance layer is shared. Certificates then run a three-year cycle with annual surveillance audits.

Every engagement is custom-scoped to your headcount, sites, regulator deadlines, and existing maturity, so we do not publish a rate card. After a short scoping call you receive a fixed, all-inclusive quote covering the gap assessment, BIA, risk assessment, documentation, exercises, internal audit, and certification-audit support — no hourly billing, no scope creep. The accredited certification body’s audit fee is quoted separately by that body, because the consultant and the certifier must remain independent.

No — and no consultant should. Certificates are issued only by independent, accredited certification bodies such as TÜV, BSI, or DNV after a Stage 1 documentation review and a Stage 2 implementation audit. TCSA builds the BCMS, runs the BIA and exercises, conducts the internal audit, and supports you through both audit stages. Keeping the consultant and the certifier separate is what the accreditation rules require.